5 Step Data Security Plan for Small Businesses


This presentation lays out a 5 step data security plan for small businesses. The plan is easy and inexpensive to implement, and it gives you a strong plan to protect your proprietary company assets as well as your clients' information. To learn more or to read the article, please visit http://www.wilkins-consulting.com/small-biz-security-plan.html.

  1. 5 Step Data Security Plan for Small Businesses
     Based on ISO 27001 Principles
  2. A recent Trend Micro survey showed that only "49% of small companies view data leakage as a serious threat, while 63% were more concerned about viruses."
     But here is an alarming statistic: on November 3, 2010, the Privacy Rights Clearinghouse released a report that, among other items, showed that "80 percent of small businesses that experience a data breach either go bankrupt or have severe financial difficulties within two years."
  3. Let Me Share Two Recent Examples
     Incident 1:
     - A 4-person organization hires a new sales manager to grow the business
     - The employee leaves after 6 months, but had created his own competing company while working there
     - The organization had no access control plan in place, so the ex-employee continued to receive work emails forwarded to his personal email account for several months after leaving
     - The organization was faced with spending $1000s in litigation while facing the loss of several key clients
     Incident 2:
     - Involved a colleague of mine
     - Her healthcare provider's office was broken into and computers were stolen
     - There was no protection on the computers, and over 400 patient financial records were accessed. My colleague's bank account was compromised, among many others.
  4. Step 1 – Asset Identification and Risk Assessment
     Identify and record information assets – laptops, desktops, servers, wireless phones, etc.
     Classify information assets – high, medium, low
     Risk assessment for each asset to determine the level of risk you are willing to accept
     - Threats – theft, damage, virus, etc.
     - Vulnerability – high, medium, low
     - Impact of the loss to your business
     Now let's look at some examples
  5. Information Classification
     Complete Risk Assessment
     Asset: Network server that contains your company data
     Classification: High, because it contains classified and irreplaceable data.
     Threats: HDD failure, virus, theft
     Vulnerability: Medium – High
     Impact: Very High
     Level of Risk You Accept:
     - Use enhanced security measures: keep it locked up, behind a network firewall, and backed up.
     - It is expensive to back up your main server with a second server for real-time redundancy, so you back up to tape instead. That means longer downtime if the server is damaged (restoring from a backup tape takes longer), but you protect your company.
  6. Step 2 – Network, Computer, Email Access Controls
     Password authentication; change passwords every 90 days
     Strong passwords
     - Minimum of 10 characters
     - Use at least 3 of the following 4: letters, numbers, special characters, capitalized or lower-cased characters.
     Employee network-level access
     Clean desk, clear screen policy
     - Employees must sign off their computer when they leave their desk.
     - Set up a password-protected screensaver that activates after 5 minutes.
     - Do not leave sensitive printed information on desks unattended.
     Mobile computing
     - Access via programs such as VPN
     - Ensure connections to your network are securely authenticated
     - Password-protect and virus/malware-protect employee mobile phones
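The password rule on slide 6 (minimum 10 characters, at least 3 of 4 character classes, change every 90 days) as an added Python check; this is example code, not part of the presentation. It reads the fourth class as a mix of upper- and lower-case letters, and the account records it audits are constructed.

```python
"""Check passwords and password age against the slide 6 policy."""
from datetime import date, timedelta

MIN_LENGTH = 10                      # "Minimum of 10 characters"
REQUIRED_CLASSES = 3                 # "at least 3 of the following 4"
MAX_PASSWORD_AGE = timedelta(days=90)  # "change password every 90 days"


def character_classes(password: str) -> set:
    """Return which of the 4 character classes the password uses."""
    classes = set()
    if any(c.isalpha() for c in password):
        classes.add("letters")
    if any(c.isdigit() for c in password):
        classes.add("numbers")
    if any(not c.isalnum() for c in password):   # punctuation, symbols, spaces
        classes.add("special")
    # Interpretation of "capitalized or lower-cased characters": both cases present.
    if any(c.isupper() for c in password) and any(c.islower() for c in password):
        classes.add("mixed_case")
    return classes


def check_password(password: str) -> list:
    """Return policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = character_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        problems.append("uses only %d of 4 character classes" % len(classes))
    return problems


def password_change_due(last_changed: str, today: str) -> bool:
    """True once a password (ISO dates) is 90 or more days old."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age >= MAX_PASSWORD_AGE


# Constructed sample account records (not from the presentation) for the audit below.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "last_changed": "2010-07-15"},
    {"user": "bob", "last_changed": "2010-10-20"},
]


def accounts_due_for_change(accounts, today: str) -> list:
    """Return the users whose password is due for a change on `today`."""
    return [a["user"] for a in accounts if password_change_due(a["last_changed"], today)]
```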
  7. Step 2 (cont'd) – Physical Access Controls
     Network servers on your company premises – ensure they are encrypted and kept behind locked doors at a minimum. Limit employee access to servers.
     If the data is sensitive, then consider enhanced access security such as biometrics, video cameras, third-party security monitoring, etc. Many of these controls can be put in place rather inexpensively.
     If you host your corporate networks at a remote third-party facility, keep it local if possible, and tour the remote facilities to ensure they have the proper physical and environmental protections.
  8. Step 3 – Network and Personal Security Controls
     Encryption – laptops, desktops, flash drives, servers, etc. TrueCrypt (free encryption software): www.truecrypt.org
     Email encryption – MessageLock or PGP email encryption
     Anti-virus – http://anti-virus-software-review.toptenreviews.com/
     Downloads & System Acceptance – test unknown downloads/upgrades before running them company-wide
     Network Firewall – update and scan regularly. www.openvas.org is free vulnerability scanning software
     Wireless Network – I do not recommend one, but if you use one, ensure WPA2 encryption.
  9. Step 3 – Network and Personal Security Controls
     Ecommerce – use Secure Sockets Layer (SSL) for receiving or transmitting credit card information
     Network & Computer Backups
     - Very small company – flash drive, hard drive, or online with sites like Mozy or Carbonite, but encrypt first
     - Larger – backup to tape (inexpensive and portable)
     Consider a third-party network review at least yearly
  10. Step 4 – Paper Document Controls
     Information Classification policy
     - Public – anyone can view
     - Proprietary – management-approved internal/external access
     - Client Confidential – management-approved internal access
     - Company Confidential – management-approved internal access
     Shred sensitive documents
     Locked filing cabinets behind locked doors
  11. Step 5 – General Security Controls
     Employee background checks and training – review the Privacy Rights Clearinghouse: http://www.privacyrights.org/fs/fs16b-smallbus.htm
     Third-party review/audit – at least yearly
     Visitor policy
     - Sign in/sign out sheet
     - ID check
     - Name tags
     - Designated areas off limits
     Incident Management System – log every security incident, how you corrected the issue, and how you will prevent it in the future.
  12. Step 5 – General Security Controls
     Emergency Response Plan (Business Continuity/Disaster Recovery Plan)
     - Who is in charge and who is responsible for each action
     - Key personnel contact information – for contact and to set in motion pre-assigned duties and responsibilities.
     - Key contact information for service providers such as third-party network administrators, security monitoring, phone, internet, etc.
     - Key contact information for your local police in addition to your legal representation
     - Backup communications plan – mobile phones, home phones, laptops, etc.
  13. For More Information
     Read the article: 5 Step Data Security Plan for Small Businesses – http://www.wilkins-consulting.com/small-biz-security-plan.html
     Connect with me on LinkedIn and download the presentation: http://www.linkedin.com/in/treywilkins
     Contact me: trey@wilkins-consulting.com